ESXi 5.0 – Page 3

That's so cool! Running ESXi 5.0 & 5.1 on Apple Mac Mini

05.31.2012 by William Lam // 39 Comments

Those of you who follow me on twitter should know that I recently got my hands on an Apple Mac Mini Server (Thanks Randy K.) and are probably thinking I would install Apple OSX on the Mini. Nope! I am actually running vSphere ESXi 5.0 or 5.1 on the Mac Mini!

UPDATE (12/21): Yo no longer need to create a customized ESXi ISO for Apple Mac Mini, the necessary drivers are now included in the new ESXi 5.0 Update 2 and will work out of the box. Please take a look at this article for more details.

UPDATE (01/18): To run ESXi 5.1 on Mac Mini 5,1 or 5,3 please follow the same steps outlined below but for an ESXi 5.1 ISO image. If you are trying to run ESXi 5.0 or 5.1 on the new 2012 Apple Mac Mini 6,2 please refer to this blog post for the instructions.

Disclaimer: This is not officially supported by VMware. Use at your own risk.

Note: I did not have a spare monitor at home and luckily the Mac Mini has a DVI output which I was able to connect to my 46" TV. Nothing like ESXi on the big screen 🙂

Even though this is not officially supported by VMware, it is still a very cool solution and the Mac Mini is great form factor for a vSphere home lab. I also want to mention that this was only possible with the research from the folks over at Paraguin Consulting who initially blogged about the process needed to get ESXi 5 running on a Mac Mini. I would highly recommend you check out their blog post which provides additional details as well as a step by step installation guide including screenshots for each step.

I did not have access to an Apple Super Drive which is what the Paraguin folks used in their installation guide, as they thought formatting a USB key would have taken too long ... and who has a CD burner these days? 😉 There is also an additional step that is needed to get network connectivity which requires the user to manually install a network driver on the ESXi host.

I decided to go down the route of using a USB key to perform the installation and using a spare 1GB USB key, I created a custom ESXi installation that included the network driver which allows for network connectivity during and after the installation.

What you will need:

vSphere ESXi 5.0 Update 1 Offline Bundle (You can also use ESXi 5.0)
Broadcom NetXtreme I Gigabit Ethernet Driver (tg3-3.120h.v50.2)
PowerCLI Image Builder (there are some other free tools that allows you to add drivers, but did not work well with UNetbootin)
UNetbootin

Step 1 - Extract the offline bundle "tg3-3.120h.v50.2-offline_bundle-547149.zip" from Broadcom zip file

Step 2 - Use Image Builder to add the Broadcom driver and create a custom ESXi 5 ISO (steps taken from this VMware KB article)

# Add the ESXi 5.0 Update 1 Offline Bundle

Add-EsxSoftwareDepot "C:\VMware-ESXi-5.0.0-623860-depot.zip"

# Add the Broadcom Offline VIB

Add-EsxSoftwareDepot "C:\tg3-3.120h.v50.2-offline_bundle-547149.zip"

# Create a new Image Profile (in example, I'm using the full version w/tools)

New-EsxImageProfile -CloneProfile "ESXi-5.0.0-623860-standard" -name "ESXi50u1-Custom"

# Add the broadcom driver to our Image Profile

Add-EsxSoftwarePackage -ImageProfile "ESXi50u1-Custom" -SoftwarePackage "net-tg3"

# Create an ISO from our custom Image Profile

Export-EsxImageProfile -ImageProfile "ESXi50u1-Custom" -ExportToISO -filepath C:\VMware-ESXi-5.0u1-Custom.iso

Step 3 - Plug in a USB key into your system and run UNetbootin which will take the custom ISO we just created and make it bootable on the USB key

Step 4 - Finally, power on your Mac Mini and plug in the USB key. You can either hold the "Alt/Option" key while the system is booting and select the EFI volume OR just plug the USB key and the ESXi installer should automatically start up.

After a few minutes, you should now have ESXi 5 running on your Mac Mini, here is my setup:

Note: If you wish to add a custom kickstart file so it automatically installs and configures the host, take a look at this blog post for the details. If you want the Mac Mini to automatically boot from USB without having to press the "Alt/Option" key after installation, you can set the default boot device by following this article here.

Since you are running ESXi on Apple hardware, you can also create Mac OSX Virtual Machines (10.5 Server and 10.6 Server) and with the latest release of vSphere 5.0 Update 1, OSX 10.7 (Lion) is now officially supported. To install OSX 10.7 as a VM, make sure you follow the instructions here.

Here is a screenshot of running OSX Lion 64bit as a VM running on ESXi 5 running on a Mac Mini 😀

If you are looking to refresh your vSphere home lab, definitely consider looking at the Mac Mini, which can get up to a max of 16GB of memory. Also if you are wondering if other people are doing this, I would recommend you check out Christopher Well's vSamarai blog here which details his experience using the Mac Mini as well as voting for his VMworld CFP which will also include topic about running ESXi on Mac Mini.

I want to thank Randy K. again for lending me the Mac Mini, you rock dude! Hopefully this will not be the last article about the Mac Mini 😉

Additional Resources:

vSphere Security Hardening Report Script for vSphere 5

04.23.2012 by William Lam // 10 Comments

The much anticipated vSphere 5 Security Hardening Guide was just released last week by VMware and includes several new guidelines for the vSphere 5 platform. In addition to the new guidelines, you will also find that the old vSphere 4.x guideline identifiers (e.g. VMX00, COS00, VCENTER00) are no longer being used and have been replaced by a new set of identifiers. You might ask why the change? Though I can not provide any specifics, but rest assure this has been done for a very good reason. There is also a change in the security guidance levels, in the vSphere 4.x guide, you had enterprise, SSLF and DMZ and with the vSphere 5 guide, you now have profile1, profile2 and profile3 where profile1 provides the most secure guidelines. To get a list of all the guideline changes between the 4.1 and 5.0 Security Hardening Guide, take a look at this document here.

I too was impacted by these changes as it meant I had to add additional logic and split up certain guidelines to support both the old and new identifiers in my vSphere Security Hardening Script. One of the challenges I faced with the old identifiers and creating my vSphere Security Hardening Script is that a single ID could be applicable for several independent checks and this can make it difficult to troubleshoot. I am glad that each guideline is now an individual and unique ID which should also make it easier for users to interpret.

To help with your vSphere Security Hardening validation, I have updated my security hardening script to include the current public draft of the vSphere 5 Security Hardening Guide. You can download the script here.

Disclaimer: This script is not officially supported by VMware, please test this in a development environment before using on production systems.

The script now supports both a vSphere 4.x environment as well as vSphere 5.0 environment. In addition to adding the new guideline checks and enhancing a few older ones, I have also included two additional checks that are not in Hardening Guide which is to verify an ESX(i) host or vCenter Server's SSL certificate expiry. I recently wrote an article on the topic here, but thought this would be a beneficial check to include in my vSphere Security Hardening Script. If you would like to see the verification of SSL certificate expiry in the official vSphere 5 Security Hardening Guide, please be sure to provide your feedback here.

Here is a sample output for the Security Hardening Report for a vSphere 5 environment using "profile2" check:
vmwarevSphereSecurityHardeningReport-SAMPLE.html

UPDATE (06/03/12): VMware just released the official vSphere 5 Security Hardening Guide this week and I have also updated my script to include all modifications. If there are any feedback/bug reports, please post them in the vSphere Security Hardening Report VMTN Group.

If you have any feedback/questions, please join the vSphere Security Hardening Report VMTN Group for further discussions.

Extracting SSL Thumbprint from ESXi

04.15.2012 by William Lam // 13 Comments

While browsing the VMTN forums earlier this week, I noticed an interesting request from a user who was trying to compile an inventory of the SHA1 Thumbprints for all his ESXi hosts. The challenge the user had, was that he was capturing this information manually by "looking" at the DCUI screen which is where the SHA1 Thumbprint for an ESXi host is displayed by default.

As you might have guessed, this can be very tedious and error prone by copying down this very long string by just looking at the screen. Even if you do not make a mistake copying this long string, I bet your eyes will eventually give out. Luckily, there are a few ways to retrieve this information and I will show you some methods to help automate this across all of your ESXi hosts.

UPDATE (05/22/16) - Here's how you can extract SSL Thumbprint using PowerShell

Option 1 - Retrieve SSL Thumbprint using the DCUI as shown above, this is going to be the most manual method.

Option 2 - If you have remote SSH or direct console access to ESXi Shell, you can login to your ESXi host and using openssl utility, you can retrieve the SSL Thumbprint which you can then use or copy off to a remote host.

openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha1 -noout

Option 3 - You can remotely retrieve the SSL Thumbprint by leveraging just the openssl utility and you do not even need to login to the ESXi host. This not only allows you to retrieve the SSL Thumbprint from a centralized location, but you can easily automate this across all your hosts.

echo -n | openssl s_client -connect 172.30.0.252:443 2>/dev/null | openssl x509 -noout -fingerprint -sha1

Using Option 3, you can easily wrap this in a simple "for" loop to iterate through all your ESXi hosts as long as you have either the hostname/IP Address. Here is a simple shell script that you can use to iterate through all your ESXi hosts to extract the SSL Thumbprint.

In the script above, I have a list of three ESXi hosts and it is simply going through each host and executing the two commands to extract the SSL Thumbprint and displaying it on the screen.

Option 4 - You can also retrieve the SSL Thumbprint using the vSphere API, but the property is only displayed when it is connected to a vCenter Server. There is a property on the ESXi host called sslThumbprint that is populated when querying against the vCenter Server that is managing the ESXi host. You can use the vSphere Health Check script which captures this and other useful information about your vSphere infrastructure.

As you can see, there are several options on obtaining the SSL Thumbprint for an ESXi host, you definitely do not have to manually read it off the DCUI screen. Automation FTW again! 🙂